October 24 Auth0 Community Ask Me Anything: Tailor Your Experience with Universal Login — From Low-Code to Pro-Code

We’re excited to invite you to our next interactive Auth0 Community Ask Me Anything (AMA) session on Thursday, October 24, 2024! This is your chance to learn how you can leverage Auth0’s Universal Login to provide a great experience that is secure, easy to launch, maintain, and fully on-brand. Whether you’re looking for quick, no-code solutions or advanced pro-code customizations, Universal Login has you covered.

Explore the wide range of benefits, including built-in security best practices, support for advanced features like passkeys and MFA, and extensive customization options to fit your specific needs. You’ll also enjoy localization, accessibility compliance, enhanced performance, and faster time to launch, all with minimal maintenance required.

How It Works
Starting October 8 through October 23, Auth0 developers, customers, and community members can submit their Universal Login questions directly in the Auth0 Community. Just hit the “Reply” button on this dedicated thread! On October 24, from 9 am to 11 am PST, our product experts will provide detailed, written answers to all questions submitted during this 2-week period. As a bonus, participants will earn points and a special badge!

What You’ll Learn

  • How to secure your applications using a best-in-class hosted auth solution that highlights your brand.
  • Tips and tricks for customizing Universal Login to fit your business needs.
  • When and how to leverage pro-code capabilities for more advanced customization.

Ask Questions here by hitting the reply button below. Be sure to submit your questions from today, October 8, to October 23, 2024.

Featured Experts

Michael Swanson

I am a Sr. Product Manager helping lead CIC’s Universal Login Branding and Experience team. Prior to joining Okta in June 2023, I worked primarily with early stage startups as a hands-on Product Manager, team lead, and product designer, while also writing (mostly frontend) code.

Brandon Simons

I am a Principal Product Manager leading CIC’s Login team focused on delivering experiences that are easy to build and a delight to use. Prior to joining Okta, I worked in Identity at a startup and enterprise applications at Microsoft.

4 Likes

How do I add custom elements to the existing signup and login screens?

1 Like

How do I use Auth0 CLI to manage my customizations to UL?

1 Like

How do I localize my custom elements?

1 Like

How do we know if we are using Universal Login? Am I using Classic?

1 Like

Unfortunately this event will be at 3am in my time zone, so a little difficult to attend. But the question I would like to ask is when this issue will be fixed:

It’s very confusing to our customers to get an error at the same time as being told a verification code has been sent.

1 Like

During login, how can I share user metadata from one tenant to another?

Background: My company uses two Auth0 tenants in production. Tenant A has our legacy user database, including important custom metadata, and Tenant B has our user-facing login page, whose behavior depends on the custom metadata. During login, we use a Rule in Tenant A to copy a field from Tenant A user_metadata into an idToken claim. Then, in Tenant B, we have a second Rule which reads the claim as a property on the user (e.g. const claimValue = user[claimName];).

Rules are going away, so I’m rewriting the above logic using Actions, but I’ve run into two problems.

Problem 1: I’ve attempted to migrate the Tenant A rule to an action, and I’m following Auth0’s docs for how to set id token claim from an Action: api.idToken.setCustomClaim(namespacedClaimName, claimValue);. The namespacedClaimName and claimValue are identical between the Rule and my Action. However, when I replace the Rule with my Action, Tenant B’s Rule can’t see the claim anymore, because the claim name is no longer defined on the Tenant B user object.

Problem 2: I will also need to migrate Tenant B’s Rule to an Action, but Actions are not allowed to read custom properties that were set on the user object, as my Rule currently does. A popular Auth0 Community thread which asks how to read token claims from an Action has not been answered (the post mentions accessToken, but the same question applies to id token). The Post-Login Actions API docs describe how to set token claims, but not how to read them. I’d be willing to put this info elsewhere instead of in a token, but (I think) userMetadata and appMetadata from Tenant A are not available in Tenant B.

1 Like

I am using Azure Isolated Function Apps (dotnet 8) as microservices.

My architecture consists of a number of these APIs and one of them having the ability to create/manage user accounts within it.

These APIs are called by Android, iOS and Angular clients. I want to use Universal login to sign in using social/db etc and for the flow to then pass the token back to the client (for the minute concentrate on Android). That client then talks to my organisation API to enrich the user object (we have dynamic permissions) for the client to use.

Each of the other APIs is then called for whatever functionality they need and they then ask the DB based on the userid held in the token.

How do I set this up and structure it within my account? It feels wrong to add what could easily be lots of APIs as they only need to verify that the token is correct not have any security functionality.

Are there some good examples for .net8 isolated functions (not the same as asp.net which you have lots of examples about) microservices and the best way of calling APIs from an android client whilst automatically refreshing stale tokens and validating they are correct (ideally with unit tests)?

Please can you point to examples if I have missed them.

Thank you!

1 Like

In NUL, can we display the login button without a password? Along with the social login buttons?

1 Like

Can we have a phone number + phone validation (token sent by SMS) in the signup flow?

2 Likes

What are the future plans? Is there a public roadmap?

1 Like

I have a React SPA using the react auth0-sdk, where we automatically log out a user after x minutes of inactivity in the application. The web app then redirects to the login page of the app (I’m using Universal Login with custom page).
Now when the user comes back to the page after the session has expired in Auth0, and tries to log in, they see the page saying “Oops! Something went wrong” with the details saying "You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn’t find your session. Try logging in again from the application and if the problem persists please contact the administrator."

What would be a good solution to this error in this particular scenario?

1 Like

Is it possible to make New Universal Login GDPR-compliant on the free plan? I think it requires a checkmark before sign up/registration, how do I do that?

How to automatically create a new organization for a new user who just signed up using Universal Login?

The ideal flow: user first login → action creates org → login flow resumes, user picks org → user authenticated and org_id on token.

Background:

We have an application that requires Business Users. So, every user has to have an ORG. Currently, we have to create a new ORG manually in Auth0 for every customer and then invite their users. When the users try to sign up themselves, they get an error message: “You are not a member of any ORG.”

We would like to streamline the onboarding experience and let users sign up on their own using different connections: Google, Microsoft, and Auth0 Database. But for that, we have to create ORG for each of them right after the sign-up (or first login in case of social connections) but before the sessions are issued. So after that, the user has the new ORG ID in their JWT token, and our app can work with it.

How can I create a new ORG in the action and add its ID to the org_id in the token?

I’ve struggled with this a lot, but unfortunately, I haven’t found a way to do it:

  1. I’ve tried to create an ORG in actions on Post Login, but the new ORG ID is not present in the token as org_id. Exactly as described here: Create and use organization on first login
  2. I’ve tried to create an ORG on Pre User Registration and Post User Registrations. But it does not work with social connections as these events are not triggered for them.
  3. I found that on your Saas Start template, you somehow use two Auth0 applications to let the user create a new ORG on the first login. But I haven’t figured out how it works.
    a. SaaStart Management (Types of Users: Individuals)—To log in a user for the first time without an ORG, let them create a new ORG and somehow switch to the second app, which requires the user to give an ORG.
    b. SaaStart Dashboard (Types of Users: Business Users) - to continue using the app.

Question unrelated to the Universal Login:
Can you please explain the approach (3) you use in the Saas Start template?

Any plans for a Pre-Password reset hook? or any other way to send a password reset link for Social accounts? (by creating an email authentication method in the background, for example)

Custom HTML, CSS, and JavaScript can be added to our existing signup and login screens using custom prompts. For more information check out our online documentation.

To add entirely new screens to your signup and login journeys check out Forms.

Managing your customizations through Auth0 CLI is as simple as running one command.

After installing Auth0 CLI, run:

auth0 universal-login customize

This will load a browser UI that is connected to your Auth0 tenant, allowing you to make and preview changes before deploying them to your tenant.

From here you can edit:

  • Theme
  • Page Template
  • Prompt Text
  • Prompt Partials

Yes, this is possible in a couple different ways.

  1. Passwordless Connections enable you to sign up & login users with phone identifiers and an SMS delivered OTP code. Documentation: link and link.

  2. This year we have made additional improvements to require users that sign up with a phone number (or email) on a database connection to also verify their number during sign up. Phone number and email verification on sign up are both available today. Email Verification Announcement

1 Like

We do not have a published public roadmap at this time. However, we are continuously learning about more scenarios that we can improve upon, and working to deliver a great product.

Your Auth0 tenant can run in one of 3 modes:

  1. Classic Login only
  2. Universal Login only
  3. A Hybrid of Universal AND Classic Login

Check out our online documentation to understand the difference between Classic and Universal Login.

To determine which mode your tenant is using:

In the management dashboard, check the Universal Login Advanced Settings page (Branding > Advanced Options) to see if the tenant is in mode 1 (Classic).

If Universal Login is selected here, it is still possible that the tenant is using mode 3 (Hybrid). To verify if the tenant is using mode 2 (Universal) or 3 (Hybrid) you’ll need to check the Advanced Settings for:

  • Login
  • Password Reset
  • Multi-Factor Authentication

If any of these settings are enabled, then the tenant is in mode 3 (Hybrid) and is using Classic for the enabled screens.

1 Like